Analyst's Diary

Linux.Lupper reports


Costin | November 09, 2005 | 09:48 GMT

Years ago, I attended a Linux conference. It was the first Linux conference for me, and compared to other similar events, the first thing I noticed was that the atmosphere was pretty relaxed. People were chatting during presentations, drinking beer and hacking the presenter's laptop using a three-day-old vulnerability in SSH over WiFi. I later learned this was your regular Linux/Unix conference, but it looked pretty exotic to a newbie.

One of the presentations was about Unix malware in general, Linux malware in particular. The presenter examined some common Linux rootkits and backdoors, and a Linux virus - but no worms. At the end of the presentation, he pointed out that despite the lack of cases, Linux worms are not only possible but very likely to appear in the future and become as common as, for example, CodeRed. This last statement was received with general (for 'general', read 'loud') disagreement from the audience who pointed out that Linux is more secure than Windows and things like CodeRed can't and will never happen. The speaker sighed but didn't comment - he probably knew better.

Several days ago, we started receiving a flood of packets over port 80 through our honeypot network, codenamed "Smallpot". They were plain text, with no buffer overflow or shellcode involved, so the automatic analysis system flagged them "low importance" and they stayed in the queue for a while until we noticed something was not quite right about them. Generally, we receive tons of port 80 packets containing simple HTTP requests - spammers looking for open proxies or other ways to deliver their messages; it is not that usual to see a worm replicating via a port 80 (HTTP) exploit that does not use a buffer overflow.

Well, Net-Worm.Linux.Lupper is just that. The worm itself is an ELF binary, statically compiled so it runs on most systems, and packed with a set of exploits which target vulnerable versions of 'xmlrpc.php' and 'awstats.pl'. These can be found in various Linux distributions (including but not limited to: Gentoo, Mandriva, Slackware, Debian, Ubuntu), but also in older versions of WordPress, a very popular blogging package.
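Because the worm's probes are plain HTTP requests, a web server's access log is enough to spot the scanning pattern described above. The following triage script is an added example of mine, not code from the post or from Kaspersky Lab; it assumes Apache combined-format logs, and the addresses, paths, parameter name and log lines are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Constructed Apache combined-format lines using RFC 5737 addresses; not real honeypot data.
SAMPLE_LOG = """\
192.0.2.10 - - [09/Nov/2005:09:48:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2005:09:48:02 +0000] "GET /cgi-bin/awstats.pl?config=x%7Cprobe HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [09/Nov/2005:09:48:02 +0000] "POST /xmlrpc.php HTTP/1.1" 404 209 "-" "-"
198.51.100.7 - - [09/Nov/2005:09:48:03 +0000] "POST /blog/xmlrpc.php HTTP/1.1" 404 209 "-" "-"
192.0.2.10 - - [09/Nov/2005:09:50:00 +0000] "GET /cgi-bin/awstats.pl?config=site HTTP/1.1" 200 4410 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TARGETS = ("awstats.pl", "xmlrpc.php")  # the two scripts the post says the worm exploits
META = re.compile(r"[|;`$&]")            # shell metacharacters that never belong in a stats query

def score_log(text):
    """Return {ip: [reasons]} for sources whose requests look like Lupper-style probing."""
    hits = defaultdict(list)
    probes = defaultdict(set)  # ip -> distinct target scripts it requested
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, path, status = m["ip"], unquote(m["path"]), m["status"]
        script = next((t for t in TARGETS if t in path), None)
        if script is None:
            continue  # ordinary traffic, not one of the worm's targets
        probes[ip].add(script)
        query = path.partition("?")[2]
        if script == "awstats.pl" and META.search(query):
            hits[ip].append(f"shell metacharacter in awstats.pl query: {query}")
        if status == "404":
            hits[ip].append(f"probe for absent script {path} (404)")
    for ip, seen in probes.items():
        if len(seen) == len(TARGETS):  # one source trying every target script is a scanner
            hits[ip].append("same source hit every worm target script")
    return dict(hits)

if __name__ == "__main__":
    for ip, reasons in score_log(SAMPLE_LOG).items():
        print(ip)
        for reason in reasons:
            print("  -", reason)
```

Note that the xmlrpc.php side of the attack travels in the POST body, which the access log does not record, so on that path this heuristic only sees the probing pattern (repeated 404s, one source hitting both targets), not the payload.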

Another notable thing is that hardware buffer overflow protection such as that built into most recent CPUs from AMD and Intel (using the NX / XD bit) is helpless against such attacks and will not prevent infection with Lupper. Which proves once again that the above solutions, aggressively marketed as "the end to all virus problems", are not quite there yet.

Detection for Lupper.A was added to the antivirus databases on November 6th, the .B variant was added earlier today. Of course, KAV for Linux File Servers with on-access protection enabled prevents infections with Lupper.

 

Copyright © 1996 - 2010
Kaspersky Lab